Create Vulnerable Items with SAM NVD

Bel_n Dom_nguez · ‎04-16-2019

Hello everyone!

I'm implementing Vulnerability Response for a client and I did the upgrade to Madrid yesterday.

I'm trying to update my VIs through SAM NVD. I did import all the feeds on the NVD libraries.

Nothing is created.... all the business rules related with Vulnerability Response are active.

¿Any idea of what is happening?

Thank you!!!

maulik_shah · ‎07-14-2019

If the vulnerable software doesn't match the software discovery model exactly, the system doesn't create the vulnerable items. You will have to manually select the software discovery model.

Thanks

Maulik

View solution in original post

Bel_n Dom_nguez · ‎04-25-2019

Hi Maulik,

Thanks for your answer about this problem.

Finally, Vulnerable Items were created. The problem was on sn_vul_software table (Vulnerable Software). All the records had the field Software Discovery model empty.

I matched some of them manually and it worked to create some of Vulnerable Items.

It's my first time with VR module and I'm still trying to undertsand how it works.

I see a lot of dependency with how well populated is CMDB and I have some problems with that part because another team is running Discovery and they have some problems with it.

Thanks again for your answer!

Syed14 · ‎07-14-2019

Hi

I am also trying to understand the Vulnerability response module. Are you able to automate Vulnerable Item creation from vulnerable software? I have same issue that it doesn't pick up the software discovery model automatically and I have to create vulnerable item manually.

Thanks

maulik_shah · ‎07-14-2019

If the vulnerable software doesn't match the software discovery model exactly, the system doesn't create the vulnerable items. You will have to manually select the software discovery model.

Thanks

Maulik

Sebastiaan · ‎07-15-2019

Hi Belén,

I will not advise you to use SAM discovered application data to be matched against NVD for Vulnerability Response purposes for the following reasons:

1. For matching Vulnerable Application (CWE) information with SAM data an exact match is required. As this most of the time will not be the case, matching results will either create a lot of false positives or create no VIT’s at all;

2. The NVD data source is only able to report on Vulnerabilities when the related CVE & CWE numbers are released. In most cases this can take up to days if not weeks for newly discovered vulnerabilities. This means that if organisations only use the NVD for matching they will get an incorrect overview of their vulnerability attack landscape;

3.SAM data only provides application type and version information which is not enough to match it to related CWE information. Even though there might be a match it does not always mean the vulnerability actually exists within the customers environment. This only be properly tested by a Vulnerability Scanner which checks and verifies vulnerabilities using multiple techniques.

Due to above points, I would stress not to use Vulnerability Response without a proper Vulnerability Scanner. Only Vulnerability Scanners are able to provide relevant information for the creation of VIT’s which can then be further enriched by Vulnerability Response by leveraging; NVD, Exploit, Patch or SAM data.

I hope this helps

maulik_shah · ‎07-15-2019

Thanks Sebastian for providing additional context. Absolutely! this capability is not to replace the scanners at all because it doesn't serve the same purpose.